On Monday, 4 February 2019 10:37:03 GMT Neil Bothwick wrote:
> On Mon, 04 Feb 2019 10:24:27 +0000, Peter Humphrey wrote:
> > > How do you, especially those who admin systems that are always being
> > > hacked at, generate strong passwords that meet the above?  I've
> > > googled and found some ideas but if I use the same method, well, how
> > > many others are using that same method, if you know what I
> > > mean.  ;-)  Just looking for ideas.
> > 
> > You could use a password generator to keep creating random passwords
> > until it comes up with something you like the look of, then learn it by
> > rote. I did that some time ago - it must be about time I did it again
> > to make another one.
> 
> https://xkcd.com/936/

Not strictly true ... the crackers would probably use rainbow table attacks 
first.  Also, it isn't fair to compare an 11 character passwd against a 25 
character passwd.  For the *same* number of characters used in any given 
passwd, a random lower/upper/numerical/symbol passwd will provide an 
exponentially higher degree of difficulty in cracking it with brute force, 
than one which uses only lower case dictionary words.  Anyway, these days many 
attacks are focused on OS or hardware vulnerabilities which have been baked in 
by design, rather than brute force attacks.

Any financial company worth their salt are employing 2-factor authentication 
and account lockups to stop brute forcing of users' credentials.  So, guarding 
against your own OS compromise is more important than individual website 
credentials.

You will be surprised how many people are still using passwds like:

password
password1
arsenal
manchesterunited2018
fido

on websites which store their credit card details.  O_O

You may want to take a look at app-admin/apg and to mitigate against your 
CPU's lack of randomness use sys-apps/haveged.  Combining multiple outputs of 
apg should arrive at a passwd which is more secure than not.

-- 
Regards,
Mick
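
A worked comparison of the keyspaces argued over in this thread, added here as an illustration and not part of Mick's post or of the apg/haveged packages. It puts numbers on the "same number of characters" point (a random draw from all four character classes versus lowercase only) and on the two xkcd examples (an 11 character mixed password and a 25 character four-word passphrase). The word-list sizes are assumptions: 2048 words reproduces the 44-bit figure in the strip, 7776 is the size of a Diceware list. The generator is standard-library `secrets`, and `policy_password` mimics an apg-style "all classes required" rule by rejection sampling rather than by calling apg itself.

```python
import math
import secrets
import string

# The four character classes named in the post: lower/upper/numerical/symbol.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = string.punctuation              # the 32 printable ASCII symbols
FULL = LOWER + UPPER + DIGITS + SYMBOLS   # 95 characters in total

# Assumed word-list sizes (not from the thread): xkcd's 44-bit figure implies
# 2048 words; a Diceware list has 7776.
XKCD_WORDS, DICEWARE_WORDS = 2048, 7776


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly and independently
    from an alphabet of `alphabet_size` symbols: log2(alphabet_size ** length).
    The attacker's keyspace is 2**bits, so it grows exponentially with length."""
    return length * math.log2(alphabet_size)


def keyspace_ratio(alphabet_a: int, alphabet_b: int, length: int) -> float:
    """How many times larger the keyspace of alphabet A is than that of
    alphabet B when both passwords have the same length."""
    return (alphabet_a / alphabet_b) ** length


def has_all_classes(password: str) -> bool:
    """True when at least one character from each of the four classes is present
    (the kind of rule apg's -M SNCL mode enforces)."""
    return all(any(c in cls for c in password) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


def random_password(length: int, alphabet: str = FULL) -> str:
    """Uniformly random password from the OS CSPRNG via `secrets` (never `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def policy_password(length: int = 16) -> str:
    """Draw from the full alphabet until every class appears.  Rejection sampling
    keeps the result uniform over the set of passwords that satisfy the rule."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover four classes")
    while True:
        candidate = random_password(length)
        if has_all_classes(candidate):
            return candidate


def combine(*parts: str) -> str:
    """Concatenate independent random outputs (e.g. several apg results);
    the entropies of independent parts add."""
    return "".join(parts)


def comparison_table() -> list:
    """Entropy of the cases discussed in the thread, as (label, bits) rows."""
    return [
        ("11 chars, random from all 95 printable ASCII", entropy_bits(95, 11)),
        ("11 chars, random lowercase only", entropy_bits(26, 11)),
        ("25 chars, random lowercase only (upper bound)", entropy_bits(26, 25)),
        ("4 words from a 2048-word list (xkcd passphrase)", entropy_bits(XKCD_WORDS, 4)),
        ("4 words from a 7776-word Diceware list", entropy_bits(DICEWARE_WORDS, 4)),
    ]


if __name__ == "__main__":
    for label, bits in comparison_table():
        print(f"{label:50s} {bits:6.1f} bits")
    print("keyspace ratio, 95-char vs 26-char alphabet at 11 chars:",
          f"{keyspace_ratio(95, 26, 11):,.0f}x")
    print("sample policy password:", policy_password(16))
```

Two things the table makes explicit: length-for-length the mixed alphabet wins by a factor that is exponential in the length (about 1.5 million times the keyspace at 11 characters), but a four-word passphrase's strength is the size of the word list raised to the word count, not 26 to the character count, so its 25 characters are not worth 117 bits. The rejection loop in `policy_password` is how to meet a "must contain all classes" rule without biasing the result, whereas forcing one character of each class into fixed positions would shrink the keyspace.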
